Vous voulez voir cette page en français ? Cliquez ici.


or
Sign in to turn on 1-Click ordering.
or
Amazon Prime Free Trial required. Sign up when you check out. Learn More
More Buying Choices
Have one to sell? Sell yours here
Tell the Publisher!
I'd like to read this book on Kindle

Don't have a Kindle? Get your Kindle here, or download a FREE Kindle Reading App.

The Executive Guide to Information Security: Threats, Challenges, and Solutions [Paperback]

Mark Egan , Tim Mather
5.0 out of 5 stars  See all reviews (1 customer review)
List Price: CDN$ 46.99
Price: CDN$ 29.60 & FREE Shipping. Details
You Save: CDN$ 17.39 (37%)
o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o
Only 1 left in stock (more on the way).
Ships from and sold by Amazon.ca. Gift-wrap available.
Want it delivered Thursday, October 23? Choose One-Day Shipping at checkout.
Join Amazon Student in Canada


Book Description

Nov. 30 2004 0321304519 978-0321304513 1
Preface Preface Who Is This Book For This book is devoted to executives who could benefit from a crash course on information security. We know that you are quite busy, so you need practical recommendations that you can implement quickly. In this book, information security concepts are explained in nontechnical terms to enable executives from any discipline to quickly understand key principles and how to apply them to their business. This book provides a pragmatic approach to evaluating security at your company and putting together an information security program. Key elements of the program include staffing this function at your company, putting the necessary internal processes in place, and implementing the appropriate technology. Business executives will find this book a good primer for understanding the key existing and future security issues and for taking the necessary actions to ensure the protection of their enterprise s information assets. Information Security Background Information security is no longer an issue that is the responsibility of lower-level staff in the information technology IT department. Companies are now conducting a significant portion of their business electronically and need to be confident that their systems are safe and secure. This issue has now been escalated to the Board of Director level, and companies need to take information security seriously. The passage of the Sarbanes-Oxley Act has caused boards and especially audit committees to get much more involved in monitoring the performance and security of key information systems. This act requires companies to make new disclosures about internal controls and includes significant penalties and possible prison terms for executives of companies that are not in compliance. When I started with Symantec in 1999, information security was slowly becoming a major issue that executives had to address. More business was being conducted on the Internet, and system outages gained much more attention from the media. Many companies did not have formal information security programs, and security issues were addressed in an "ad hoc" fashion. Technology solutions at that time consisted mainly of firewalls and anti-virus software that operated independently. One of my challenges with my new position was to quickly gain an understanding of information security because Symantec had shifted its focus to address this market. Most of the literature that was available was very technical and did not provide a good overview for executives of how to put an effective information security program in place. Considering that I had spent the prior 25 years working in information technology, this would have been even more difficult for executives from other disciplines to understand. The industry has changed considerably over the past few years, and a simple virus that was a minor annoyance in the past has shifted to major threats such as Code Red that have caused major disruptions to businesses. Unfortunately, the future does not hold much promise for things to improve, and businesses will need to devote much more attention to this area. The objective of this book is to provide a shortcut for executives to learn more about information security and how it will affect their business in the future. An overview of information security concepts is provided so that executives can be better prepared to evaluate how their company is addressing information security. Pragmatic approaches are provided to assist companies in improving their information security programs. How This Book Is Organized This book focuses on three key themes: people, processes, and technology. These are the key elements of an effective information security program, and it is important to balance these components of the program. Considerable attention has been given to technology in the media and information security literature. However, this is just one element of an effective overall program. The best technology is not going to help if you do not have good staff and processes in place. This book is organized according to the steps you would follow to develop an information security program for your company. Chapter 1, "The Information Security Challenge," provides an overview of information security challenges and why executives should pay attention to the potential risks that these challenges pose to their business. A historical review of the Internet and information security incidents is also covered, and the chapter offers some insight into the power and vulnerability of conducting business electronically. Chapter 2, "Information Security Overview," provides an introduction to information security and the key elements of an effective program. The Security Evaluation Framework is introduced in Chapter 3, "Developing Your Information Security Program," and can be used to evaluate your information security program and develop a roadmap to improve your program. The overall methodology is reviewed, along with the critical areas to ensure success. The next three chapters are devoted to evaluating the people, process, and technology components of your information security program and developing an improvement plan. Chapter 7, "Information Security Roadmap," pulls all this analysis together and describes how to develop your roadmap to an improved information security program that is appropriate for your company. Future trends for information security are reviewed in Chapter 8, "View into the Future," which offers some insight into emerging threats and industry solutions to address these threats. This field is changing rapidly, and it is important to always keep up to date on the latest events. The final chapter lists the 10 essential components to an effective information security program and offers a good summary for anyone who wants to quickly identify areas for improvement. Additional sources of information and references are included in the appendixes. One final point is that this book is written from a vendor-neutral perspective; it does not contain references to commercially available security products and services. The focus is on industry best practices for information security. Due to the rapid changes in this industry, it is difficult to predict which companies will lead as the market evolves. The concepts outlined in this book can serve as a guide to choosing the appropriate products and services to support your program today and in the future. /> Copyright Pearson Education. All rights reserved.

Special Offers and Product Promotions

  • Join Amazon Student in Canada


Customers Who Bought This Item Also Bought


Product Details


Product Description

From the Inside Flap

PrefacePrefaceWho Is This Book For

This book is devoted to executives who could benefit from a crash course on information security. We know that you are quite busy, so you need practical recommendations that you can implement quickly. In this book, information security concepts are explained in nontechnical terms to enable executives from any discipline to quickly understand key principles and how to apply them to their business.

This book provides a pragmatic approach to evaluating security at your company and putting together an information security program. Key elements of the program include staffing this function at your company, putting the necessary internal processes in place, and implementing the appropriate technology. Business executives will find this book a good primer for understanding the key existing and future security issues and for taking the necessary actions to ensure the protection of their enterprise's information assets.

Information Security Background

Information security is no longer an issue that is the responsibility of lower-level staff in the information technology (IT) department. Companies are now conducting a significant portion of their business electronically and need to be confident that their systems are safe and secure. This issue has now been escalated to the Board of Director level, and companies need to take information security seriously. The passage of the Sarbanes-Oxley Act has caused boards and especially audit committees to get much more involved in monitoring the performance and security of key information systems. This act requires companies to make new disclosures about internal controls and includes significant penalties and possible prison terms for executives of companies that are not in compliance.

When I started with Symantec in 1999, information security was slowly becoming a major issue that executives had to address. More business was being conducted on the Internet, and system outages gained much more attention from the media. Many companies did not have formal information security programs, and security issues were addressed in an "ad hoc" fashion. Technology solutions at that time consisted mainly of firewalls and anti-virus software that operated independently.

One of my challenges with my new position was to quickly gain an understanding of information security because Symantec had shifted its focus to address this market. Most of the literature that was available was very technical and did not provide a good overview for executives of how to put an effective information security program in place. Considering that I had spent the prior 25 years working in information technology, this would have been even more difficult for executives from other disciplines to understand.

The industry has changed considerably over the past few years, and a simple virus that was a minor annoyance in the past has shifted to major threats such as Code Red that have caused major disruptions to businesses. Unfortunately, the future does not hold much promise for things to improve, and businesses will need to devote much more attention to this area.

The objective of this book is to provide a shortcut for executives to learn more about information security and how it will affect their business in the future. An overview of information security concepts is provided so that executives can be better prepared to evaluate how their company is addressing information security. Pragmatic approaches are provided to assist companies in improving their information security programs.

How This Book Is Organized

This book focuses on three key themes: people, processes, and technology. These are the key elements of an effective information security program, and it is important to balance these components of the program. Considerable attention has been given to technology in the media and information security literature. However, this is just one element of an effective overall program. The best technology is not going to help if you do not have good staff and processes in place.

This book is organized according to the steps you would follow to develop an information security program for your company. Chapter 1, "The Information Security Challenge," provides an overview of information security challenges and why executives should pay attention to the potential risks that these challenges pose to their business. A historical review of the Internet and information security incidents is also covered, and the chapter offers some insight into the power and vulnerability of conducting business electronically.

Chapter 2, "Information Security Overview," provides an introduction to information security and the key elements of an effective program. The Security Evaluation Framework is introduced in Chapter 3, "Developing Your Information Security Program," and can be used to evaluate your information security program and develop a roadmap to improve your program. The overall methodology is reviewed, along with the critical areas to ensure success. The next three chapters are devoted to evaluating the people, process, and technology components of your information security program and developing an improvement plan. Chapter 7, "Information Security Roadmap," pulls all this analysis together and describes how to develop your roadmap to an improved information security program that is appropriate for your company.

Future trends for information security are reviewed in Chapter 8, "View into the Future," which offers some insight into emerging threats and industry solutions to address these threats. This field is changing rapidly, and it is important to always keep up to date on the latest events. The final chapter lists the 10 essential components to an effective information security program and offers a good summary for anyone who wants to quickly identify areas for improvement. Additional sources of information and references are included in the appendixes.

One final point is that this book is written from a vendor-neutral perspective; it does not contain references to commercially available security products and services. The focus is on industry best practices for information security. Due to the rapid changes in this industry, it is difficult to predict which companies will lead as the market evolves. The concepts outlined in this book can serve as a guide to choosing the appropriate products and services to support your program today and in the future.

© Copyright Pearson Education. All rights reserved.

From the Back Cover

Praise for The Executive Guide to Information Security

"In today's world, no business can operate without securing its computers. This book conveys that message in clear, concise terms and acts as a tremendous primer to CEOs."

from the Foreword by Richard A. Clarke

"Every CEO is responsible for protecting the assets of their corporation–the people, intellectual property, corporate and customer information, infrastructure, network, and computing resources. This is becoming both more important and more difficult with the rise in the number and sophistication of cyber threats. This book helps the CEO understand the issues and ask the right questions to implement a more effective strategy for their business."

Steve Bennett, president and CEO, Intuit

"Mark Egan and Tim Mather help nontechnical executives gain a comprehensive perspective over the security challenges that all companies face today. This book is well structured and practical. Yet, it also stresses that a strategic approach to cyber security is essential, and that "tone at the top" will determine the effectiveness of any corporate cyber security policy."

Eric Benhamou, chairman of the board of directors, 3Com Corporation, palmOne, and PalmSource, Inc

"This book is not about cyber security; it's about managing one's company and the role that cyber security plays in that scenario. It's chilling to think of how vulnerable the assets of a business are on a computer network; this book is a fire alarm in the night for business executives to realize computer security is not a tech issue–it's a business issue worthy of the same attention and priority that business executives might place on any other mission-critical element of their company."

George Reyes, CFO, Google

"This is a must read for any executive of any size company. The Internet makes all businesses equal in that they are subject to the same types of threats regardless of their product. In this book, the CIO and security director of one of the top security companies makes the business case for security and tells you what to do to successfully mitigate threats."

Howard A. Schmidt, former cyber security advisor to the White House, CSO Microsoft, and VP CISO eBay

"This book gives an excellent overview of the issues around securing information at a time in our history when information is extremely vulnerable to outside attack, retrieval, or manipulation. Steps taken now can make a huge difference to a company's ability to survive and thrive in a heterogeneous attack culture."

Bob Concannon, Global Practice Leader, Boyden Global Executive Search

"Few if any books expose the business executive to the serious and critical nature of existing and evolving security issues using nontechnical terms. Executives can no longer afford to delegate the responsibility and accountability for security without understanding the issues and without assuming the ultimate responsibility for security in the firm. This book should become required reading for every business executive, regardless of product or company size."

John Moreno, chair, MS in Information Technology, Golden Gate University

"This book details the what, why, and how to solve issues of information security in business today. It gives examples many people will recognize from the press, discusses the basics of information security in a very understandable way, and reviews approaches for addressing these risks and threats."

David Schwartz, managing director, Derivative Products Risk Advisors, Inc.

"This book fills a void by addressing the key criteria executives need to consider when implementing an effective information security plan within their organization."

Shobana Gubbi, former project manager of IOS Technologies, Cisco

A Business-Focused Information Security Action Plan for Every Executive

Today, every executive must understand information security from a business perspective. Now, this concise book tells business leaders exactly what they need to know to make intelligent decisions about security–without ever getting lost in the technical complexities.

The Executive Guide to Information Security offers realistic, step-by-step recommendations for evaluating and improving information security in any enterprise. From start to finish, the focus is on action: what works and how to get it done. Here are just a few of the things you will be learning:

  • Understanding your security challenges and obligations

  • Trends in security attacks

  • Systematically identifying your risks and vulnerabilities

  • Implementing best-practice processes for access, acceptable use, training, strategy, and emergency response

  • Effective executive leadership, governance, and metrics

  • Staffing security–coping with a shortage of expertise

Whether you're a CxO, a line-of-business executive, or an IT executive who needs to get colleagues up to speed, this is the nontechnical, business-driven security briefing you've been searching for.

Mark Egan is chief information officer and vice president of the Information Technology Division of Symantec. In this role, he is responsible for all internal systems and security at Symantec. Egan is the co-chair of TechNet's Cyber Security Best Practices Campaign and a frequent speaker on best practices for information security and information technology.

TIM MATHER, Symantec's vice president and chief information security officer, is responsible for Symantec's information security program. Mather is a Certified Information Systems Security Professional and a Certified Information Systems Manager.

The authors' profits from this book will support a scholarship program for underprivileged students planning IT careers.


© Copyright Pearson Education. All rights reserved.


Sell a Digital Version of This Book in the Kindle Store

If you are a publisher or author and hold the digital rights to a book, you can sell a digital version of it in our Kindle Store. Learn more

Customer Reviews

4 star
0
3 star
0
2 star
0
1 star
0
5.0 out of 5 stars
5.0 out of 5 stars
Most helpful customer reviews
5.0 out of 5 stars Lives up to it's title March 24 2005
Format:Paperback
This book is a very useful tool for getting non-IT executives to understand the imperative behind maintaining an information security management program.
Was this review helpful to you?
Most Helpful Customer Reviews on Amazon.com (beta)
Amazon.com: 4.5 out of 5 stars  12 reviews
12 of 13 people found the following review helpful
4.0 out of 5 stars Great resource, but boring at times Feb. 9 2005
By Dr Anton Chuvakin - Published on Amazon.com
Format:Paperback
A fun book on security for executives and managers? Unbelievable, you'd say? This one ("The Executive Guide to Information Security") comes pretty close.

On the down side, do not look at this book for technology coverage. Almost total lack of coverage of intrusion prevention, spyware, spam as well as some Symantec bias (understandable, considering the publisher) make this book much stronger on the policy, process and "big picture" coverage rather on modern technical threats and countermeasures. Slightly confusing coverage of vulnerability management also falls in the same category. However, given the target audience of CEOs and CFOs, this is certainly excusable.

The book introduces the executives to basic security concepts such as "defense-in-depth", "people, process, technology", etc, and goes into details on using them for organizing security for their organizations.

I also appreciated the sections on planning and executing a security strategy and measuring security by using various included checklists and questionnaires. 50-point security evaluation framework based on"best practices" was another valuable piece. The books also address one of the important questions of organizational security: in-house vs outsourced security.

Regulations and laws also occupy a significant part of the book. The coverage is high-level and provides few details, appropriate given the target audience. A section on future security was pretty insightful and enjoyable to read!

Overall, I think the book will be one of the first (and, so far, best) books about security for the "C-level" crowd.

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II". In his spare time, he maintains his security portal info-secure.org
9 of 11 people found the following review helpful
5.0 out of 5 stars Excellent Reference for Executive Management Nov. 7 2004
By sixmonkeyjungle - Published on Amazon.com
Format:Paperback
Mark Egan and Tim Mather have done a great job in my opinion of boiling the wide range of topics and information related to corporate network security down to an "executive summary" highlighting the key areas that executive leadership needs to understand in order to make decisions and lead effectively.

This book provides an overview of the history and current state of information security and an appropriate amount of detail for an executive to understand trends in technologies and threats and how to assess risks, hire competent I.T. staff and a general overview of best practices and practical solutions.

The appendices provide a wealth of additional information such as template job descriptions for specific I.T. roles and a listing of information security web sites for reference.

This book covers a little about a lot, and even that lot is aimed at managers and executive leadership. Don't get this book if you are looking for details about any aspect of computer security or even if you are looking for a comprehensive, broad coverage of information security for the "working class". For executive leaders looking to gain an understanding of I.T. to ensure that their networks are properly protected though this is an excellent resource.

[...]
2 of 2 people found the following review helpful
4.0 out of 5 stars More Phishing Analysis Dec 17 2004
By W Boudville - Published on Amazon.com
Format:Paperback
The authors write a timely management level briefing on the current key issues in information security. Directed at not just the CEO of any company, as the cover might suggest. The audience of this book arguably includes not just executives involved in IT, but also the technical IT personnel themselves who may, or rather, will, confront such issues on a daily basis.

Perhaps the most important section is Chapter 8, discussing future threats. It starts with an example of a phishing attack on a company. The chapter then goes onto describe possible trends in attacks over the next few years. Sadly, once past the phishing example, the chapter does not talk any more about phishing. Given the realities of book publishing, the chapter was probably written in the first half of 2004. Yet as 2004 draws to a close, it has seen a huge global rise in phishing. So the chapter is already somewhat dated, through no fault of the authors.

Were the chapter to be rewritten now (December 2004), I imagine phishing would, or should, receive far more detailed scrutiny. While it might be objected that phishing is only one type of attack, its current direct monetary costs to banks and the month on month rise in the frequency of attacks make it a prime menace.
3 of 4 people found the following review helpful
5.0 out of 5 stars Should be the basis of an executive study group Dec 19 2004
By Charles Ashbacher - Published on Amazon.com
Format:Paperback
An effective security policy can only be the result of a systemic operation, which means that it must be supported at the executive level. To be supported, it must first be understood, therefore all executives must have a broad knowledge of the need for security and some of the particulars as to how it is implemented. This book provides that information.

While it is necessary to use some technical jargon in order to explain the basics of computer security, it is kept to a minimum. The three components of an effective security program: people, process and technology are each explained in a separate chapter. There are several questionnaire/checklist style worksheets, where you can fill them in and get some idea regarding the current status of your company. These are excellent ways to get a snapshot of how vulnerable your company is. One simple addition that many executives will find valuable is a collection of example job descriptions for security personnel. These positions are difficult to describe and fill, so even the smallest bit of assistance is of great value.

There are very few books that should be the subject of a study group of the executives of a company. This is one of them, each executive should be given a copy, and then forced to read and study it as a group. It is one of the few ways to guarantee that security is given the consideration that all executives need to apply. In these dangerous times, failure to do so can literally be a matter of life and death for some companies.
5.0 out of 5 stars An Executive-level Resource... April 29 2008
By D.S.Thurlow - Published on Amazon.com
Format:Paperback|Verified Purchase
Mark Egan's 2004 "The Executive Guide to Information Security" is, as promised, an executive guide, written in layman's language, for planning and executing information security policy in a corporate environment. Egan clearly understands the basics of good security planning and the challenges of the information environment in which business now operates; he marries the two to provide a step by step guide for the busy corporate executive.

Egan provides a framework and the necessary explanations to allow the business executive to understand the information security perimeter of his business. He identifies the essential components of a successful information security program and the information tools available to defend the business enterprise. The step by step development and execution of an information security program reinforces the importance of active ownership of the program and its results within the company or corporation, and the importance of ensuring that the security program facilitates the business of the business. Egan emphasizes the need for good metrics and constant monitoring; the successful information security program is a dynamic one.
Egan's guide is oriented on the business executive who thinks he needs an information security program (hint: he or she almost certainly does). Information technology tech-heads will find the book less specific on actual threats and countermeasures; any book published in 2004 would already be out of date at that level of detail.

"The Executive Guide to Information Security" is very highly recommended as a basic guide to the threats, challenges, and solutions of an information technology-based business environment.
Search Customer Reviews
Only search this product's reviews

Look for similar items by category


Feedback